How To: VMware vCenter Orchestrator 5.5 Installation

I’ve started to play around with the idea of Orchestration and Automation a bit more in the past few weeks. The recent Melbourne VMUG rekindled my interest in the area once again so I’m trying to find the time to play around with a few different applications and see what fits. One of the most versatile and capable products out there for VMware orchestration is VMware vCenter Orchestrator (now called vRealize Orchestrator) and the fact that it’s free with your vCenter server license means there’s really little to no excuse for not learning the product and adding another skill to your virtualization armour.

DEPLOYMENT:

Step 1:

You can download the vCenter Orchestrator appliance from the myVMware website. You’ll need a VMware login to get access to the download. Make sure to download the OVA file as it just makes deployment easier. Once you have downloaded the OVA, you can then deploy the template.

vco appliance deployment

Browse to your downloaded OVA file and once selected click Next.

vco select ova

How-To: VMware vRealize Log Insight Installation

As part of some recent evaluation work I did on vRealize Operations Manager, and following a discussion with our VMware rep, I installed vRealize Log Insight. It’s a product I’ve heard about before, largely in conjunction with EVO:RAIL as it’s part of the automatic deployment, but not a product that I’ve really seen a need for. As part of the vRealize Suite it links nicely into vROps so I thought why not give it a chance and see what it can do. So far I’ve been impressed. I’ve only configured it to monitor my VMware environment but it is also possible to get data from devices outside of the virtual platform. For want of a better example, you can think of Log Insight as a syslog server or a Splunk server. There may be other ways of installing vRealize Log Insight Manager but below are the steps I followed to get the platform off the ground; they follow steps similar to my earlier How-To: VMware vRealize Operations Manager Installation guide.

DEPLOYMENT:

Step 1:

Go to the VMware vRealize Log Insight web page and download the vRealize Log Insight OVA file. You will need a VMware account for this and you will also get a 60-day trial license key. You can also check out the VMware vRealize Log Insight Getting Started Guide and the vRealize Log Insight Administration Guide for more information on what to do within Log Insight. Once you have downloaded the appliance you can go into vCenter and select Deploy from OVF Template.

vrealize log insight installation step 1

Step 2:

Browse to the downloaded OVA file, select and click Open

vrealize log insight installation step 2

Fix: VMware 5.5 Importing VMDK to VM – Failed to open disk scsi0:0

I’m currently assisting on a project for Big Data which requires some VMDKs to be imported and added to existing VMs. I really don’t understand why the vendor doesn’t supply an appliance to import rather than having to build out multiple nodes from a VMDK file. The only redeeming factor among all this is that it’s only a proof of concept but my concerns have been raised about a proper production deployment. A request was made to add the VMDK supplied to 4 existing VMs which were essentially just shells waiting for disk to be assigned/attached. I copied the VMDK into the folder of one of the VMs, attached the disk to the VM and when I went to power it on I got the following error:

Failed to open disk scsi0:0: Unsupported or invalid disk type 7. Ensure the disk has been imported

failed to open disk scsi0:0 unsupported or invalid disk type

The VMDK was obviously from a different version of vSphere and required the disk to be re-imported and also converted to zeroedthick. The steps followed to resolve this issue were:

  1. Enable SSH access to the ESXi host via the Security Profile under Configuration.
  2. Open a PuTTY SSH session to the ESXi host
  3. Change directory to the folder of the VM: cd /vmfs/volumes/<datastore>/<VM_folder>
  4. Run the vmkfstools utility to clone the VMDK as zeroedthick: vmkfstools -i imported_disk.vmdk -d zeroedthick new_clone.vmdk
  5. Go to the datastore the VM resides on in vSphere, right-click imported_disk.vmdk and select Delete from Disk
  6. Edit the settings of the VM and connect new_clone.vmdk
  7. Power on the VM and the error is now gone
  8. Close the PuTTY session and disable SSH access to the ESXi host
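A small helper for steps 3 and 4 above, added here as an example and not code from the original post: it reads the VMDK descriptor, reports its createType, flags anything other than a native vmfs disk as needing the vmkfstools clone, and echoes the clone command for review rather than running it. The function names, the sample descriptor and the createType heuristic are my own assumptions (the post does not inspect the descriptor), so a disk that still fails to open after this check should simply be cloned as the post describes.

```shell
#!/bin/sh
# Added example (not from the original post): inspect a VMDK descriptor before
# attaching it and build the vmkfstools clone command used in the fix above.
# Written for POSIX/busybox sh so it also runs in the ESXi shell.

# Print the createType recorded in a VMDK descriptor, e.g. vmfs or twoGbMaxExtentSparse.
vmdk_create_type() {
    sed -n 's/^createType="\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Print the extent file names the descriptor points at (RW/RDONLY/NOACCESS lines).
vmdk_extents() {
    sed -n 's/^[A-Z]* [0-9]* [A-Z]* "\([^"]*\)".*/\1/p' "$1"
}

# Return 0 (true) when the descriptor is not a native VMFS disk. Assumption: such
# hosted/stream formats are what trigger the "invalid disk type" error; a disk
# that still fails to open after this check should be cloned anyway.
vmdk_needs_reimport() {
    case "$(vmdk_create_type "$1")" in
        vmfs) return 1 ;;   # native ESXi flat disk, attach as-is
        "")   return 1 ;;   # no createType found; do not guess
        *)    return 0 ;;   # monolithicSparse, streamOptimized, 2GB extents...
    esac
}

# Build the clone command from step 4 of the fix. It is echoed, not executed,
# so it can be reviewed first (e.g. vmdk_clone_cmd a.vmdk b.vmdk | sh).
vmdk_clone_cmd() {
    printf 'vmkfstools -i %s -d zeroedthick %s\n' "$1" "$2"
}

# Write a constructed sample descriptor (hosted 2GB-extent sparse disk) into
# directory $1 and print its path. Only used for the demo below.
write_sample_descriptor() {
    cat > "$1/imported_disk.vmdk" <<'EOF'
# Disk DescriptorFile
version=1
CID=fffffffe
parentCID=ffffffff
createType="twoGbMaxExtentSparse"

# Extent description
RW 4194304 SPARSE "imported_disk-s001.vmdk"

# The Disk Data Base
ddb.adapterType = "lsilogic"
EOF
    printf '%s\n' "$1/imported_disk.vmdk"
}

# Demo: sh this_script.sh --demo
if [ "${1:-}" = "--demo" ]; then
    dir=$(mktemp -d)
    desc=$(write_sample_descriptor "$dir")
    echo "createType: $(vmdk_create_type "$desc")"
    echo "extents:    $(vmdk_extents "$desc")"
    if vmdk_needs_reimport "$desc"; then
        echo "needs clone, run: $(vmdk_clone_cmd imported_disk.vmdk new_clone.vmdk)"
    else
        echo "native vmfs disk, attach as-is"
    fi
    rm -rf "$dir"
fi
```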

How-To: VMware vRealize Operations Manager Installation

I’ve recently been playing around with the vRealize Suite as part of on-going evaluations into various management tools. Today I’m going to cover the installation process for vRealize Operations Manager. There have been a number of improvements in the latest version of Operations Manager. It was not just a name change from vCOPs to vROps as part of the latest release; there have been a number of great features added and I think VMware have finally put the effort into making their management suite of products work cohesively. I’m not going to go into the reams of features and updates to vRealize Operations Manager as others have done a far better job at that than I can, but I can provide a step by step installation guide.

DEPLOYMENT

Step 1:

Go to the VMware vRealize site and download a trial version of vROps. You will require a VMware account to do this and will need to agree to any licensing. You can download the OVA file for vROps to your local computer. Once you have downloaded the appliance you can go into vCenter and select Deploy from OVF Template.

vrops deployment step 1

Step 2:

Select the OVA file just downloaded and click Next.

vrops deployment step 2

VMTurbo Operations Manager- The Tesla of virtualisation management solutions

I do realise that comparing VMTurbo to Tesla is a bit much but it’s really not all that far away from the truth. When Tesla began designing their electric cars it was at a time when electric cars were unfashionable and some previous manufacturers had produced some real pieces of crap, so most people were just thinking why bother. Why waste time on something that’s not going to sell? There are already enough electric cars on the market from more traditional and trusted manufacturers. And this is where the link to VMTurbo comes in. VMTurbo has entered an already saturated marketplace with another monitoring tool. As with Tesla however, they have come to market with a product that does things very differently and rocked the status quo. VMTurbo is not just a monitoring tool but an analysis appliance that provides realtime recommendations and updates to reduce the number of alerts within virtual infrastructures, and works towards keeping a desired state throughout the environment by supplying applications with the resources they require and ensuring efficient consumption of the available resources. Two companies in different technological spaces are upsetting the market by thinking outside the box and finding novel solutions. If only VMTurbo had an Insane Mode like Tesla…

Over the past 10 years what has really changed with monitoring solutions? Well, not much. We now get more data and information to process but no real assistance regarding resolutions to fix issues. The most extensive monitoring solution I’ve used before is Microsoft SCOM. It’s just immense, and it covers all the way from the application down to the virtual layer (with some assistance from 3rd party products for VMware like the Veeam MP for VMware), but it’s just too big and time consuming and the recommendations provided in the alerts really just point back to KB articles. And this has primarily been my concern with these tools. They are designed to provide as much information as possible, to the point where the administrator/operator is overloaded and doesn’t know where to begin to fix the problem. Ideally these tools should analyse that data and provide actionable and automated recommendations so that they can intelligently keep your environment running efficiently. This would free up the time admins spend going through reams of data and allow them to work on adding value to the business rather than being stuck down some IT rabbit hole. VMware vCOPs does provide analysis and reports on anomalies and issues that cause peaks outside of thresholds and baselines, but it doesn’t identify clearly what has caused them or even whether it is something worth investigating. I’ve spent countless hours tracing back alerts from vCOPs to find that everything is ok within the environment and it was just a different workload temporarily running on the VM that caused the anomalies to trigger. And as for capacity planning, well that’s just another massive pain in the ass. vCOPs does however provide fairly decent capacity planning in comparison to most other tools, but it’s still clumsy and limited regarding customisation. It’s a bit like trying to reason with a 2 year old: you think you’re making progress but you eventually realise that it’s not going to do exactly as you wanted and will still throw your iPhone down the toilet anyway (pesky kids :-)). vCOPs lets you add hosts/VMs etc. but it just feels clunky and makes it difficult to factor in all aspects of your infrastructure.

What I like about VMTurbo?

SRM 5.1 Failover Test

Over the weekend I had to run a failover test for an application within SRM. As SRM can only replicate down to the datastore level and not the VM level, this meant doing a full test failover of all VMs, but ensuring beforehand that all protected VMs in the Protection Group were set to Isolated Network on the recovery site. This ensures that even though all VMs would be started in the recovery site they would not be accessible on the network and therefore would not cause any conflicts. The main concern, outside of a VM not connecting to the isolated network, was that the VM being tested and the application that sits on it are running on Windows 2000. Yes, that’s not a typo: the server is running Windows 2000. The application is from back around that period as well, so if it drops and can’t be recovered then it’s a massive headache.

Failover Test:

Step 1: Power down the production VM

SRM steps shutdown server

Step 2: Perform Test Recovery

Go to Recovery Plans -> Protection Groups and select Test

SRM Protection Group Test

When the prompt comes to begin the test, verify the direction of the recovery, from the protected site to the recovery site, and enable the Replicate recent changes to recovery site option. In most cases you will already be running synchronous writes between the sites and the data will just about be up to date anyway. It is recommended however to perform a recent-change replication anyway to make sure that all data is up to date.

SRM Test Recover Plan

Click Next and then click Start to confirm the test recovery.

SRM Test Recovery Plan Complete

vForum – Melbourne

Earlier this week I attended the VMware vForum roadshow as it came to Melbourne for the first time. As part of the 10 year anniversary of vForum in Australia VMware have decided to bring the show on the road and do a whistle-stop tour of each of the state capitals. This is a great idea. Even if it’s only a one day event and not the two-day event that normally takes place in Sydney, it’s still good to have easy access to the event. The last vForum I went to was 2 years ago working with a vendor, so it’s a different experience being on the opposite side and also getting the time to take in as many of the sessions as I could. Maybe it’s more experience and better knowledge on my part but I felt that I got far more out of the sessions at this vForum than any other conference/roadshow I’ve attended.

The biggest announcements were tied to VMware’s bid for a Hybrid Cloud and device mobility with a focus on AirWatch by VMware. Last week at vForum Sydney VMware announced that they were partnering with Telstra to deliver the first vCloud Air environment in Australia early next year. This week it was confirmed by Telstra that the datacenter is located in Clayton in Melbourne and that vCloud Air is scheduled for the first quarter of 2015. I attended a session by Telstra and it was interesting that they announced VBlock as their platform for vCloud Air. I know Telstra has a mixed environment and it’s not immensely surprising that VMware’s sister company EMC would be the storage vendor of choice. Telstra also announced that their NextIP customers would not incur any extra costs for moving data in and out of the vCloud Air service. A bonus really for those clients. I’ll come to the configuration specifications of vCloud Air in a moment. As with all of these events there are some dud sessions but some that really open your eyes. Likewise with vendors. I had some really insightful chats with the guys from Veeam, PernixData and AirWatch. These 3 vendors are adding something new to data center or mobile technologies and are the ones that link into what I’m working on at the moment. The main take-aways for each of these were:

AirWatch

  • Corporate App Store
  • Control app and desktop access via policies
  • Don’t think of it from a technology perspective but from a use case perspective – this was constantly reiterated by Rob Roe of AirWatch
  • Allows single sign-on with SAML so that when you launch the app it logs in automatically

PernixData

  • Creates a flash cluster from locally installed cache to take the workload off of the storage
  • It uses flash for read/write and provides flash resilience as data is copied between flash and later flushed to persistent storage
  • Great for Exchange, SQL and Oracle
  • Zettagrid have implemented it for their environment for Exchange and have seen immense improvement.
  • VMware are also working with SanDisk on something similar to this solution. PernixData’s argument is that they are more evolved so will still be relevant

Veeam

  • NetApp snapshots run 18x faster than Commvault for full backups and 12x faster for incremental. No need to do full scans of volumes beforehand like Commvault does.
  • Agentless is always awesome
  • Doesn’t have to present the snapshot back up to the hypervisor. Veeam manages its snapshots through CBT
  • Has a new Cloud Connect platform to back up over the WAN to the cloud. Within the cloud you can deploy Veeam and quickly and easily restore back.
  • Now has free endpoint backup software for laptop backups to either local or remote backup. Swaps restores back to the end user. Currently free but still fully supported by Veeam. Can also be used on physical servers. There is no central management console right now but most likely will be in the next year. Veeam have a history of making free editions of apps to bring in new customers

Before I get into vCloud Air, one of the other sessions I went to was around the vRealize Suite, which helped to clarify what they are trying to do in this space and what some of the new features are. VMware has essentially packaged all their peripheral software into one bundle which now provides massive value-add to the end user. You now have the choice to use VMware for the infrastructure, cloud, monitoring, BI, automation and virtual networking. They are going for the whole show. Some of the new features of Operations Manager (formerly vSOM) are:

  • Now can be clustered and scale on ops manager
  • No more appliance, just one box
  • Ops mgr will be released at the end of the year
  • Can now handle 64000 objects compared to the current 6000
  • Log Insight is the Splunk of VMware; it is not charged on log data amount but on instance numbers
  • They took out the numbers in the status badges as it was too confusing.

vcloudAir options

So vCloud Air. vCloud Air will utilise VMware vCloud Director to create multi-tenant environments with isolated resources. This, VMware argues, will make it easier to migrate to vCloud Air without having to change any configuration of the VM or the application, and there’s no performance change on VMs when transferred to the cloud. There’s also no need for admins to learn new tools as vCloud Air is just an extension of their current VMware environment. vCloud Air will run on ESXi just as your own production systems do. This is also where VMware differs from the other cloud providers: if you’re not running VMware then chances are you’re not going to be looking at vCloud Air as an option. As mentioned already it will be hosted by Telstra and it can be a dedicated cloud or a virtual private cloud. There are also options to use just the Disaster Recovery option or just Desktop as a Service from vCloud Air. The virtual private cloud runs on logically separated storage; everything is shared. If dedicated storage is required, a cross-connect from a Telstra colo is required. vCloud Air will have 11 sites globally and will have HA built in. The migration options to vCloud Air are OVF imports one at a time, offline transfer, or using vCloud Connector to move a VM or template one at a time over HTTPS uploads via APIs.

You can get more information on vCloud Air from here:

www.vmware.com/go/vcloudair 

http://vCloud.vmware.com

To me vCloud Air is promising and is a good first step from VMware. I’ve been researching a few other potential cloud solutions over the past few weeks and it fits into a potential use case for us. There are other possibilities such as just using Amazon or Azure, or even using NetApp Cloud OnTap in Amazon AWS, or other cloud providers such as AT&T and Telstra. And let’s not forget Cisco InterCloud Fabric. I’ll try to review some of these in the coming weeks.

vForum to me was a success and I hope that VMware follow a similar formula next year and bring vForum to the masses.
Trend Deep Security Manager 9 – Post Installation Issue

DSVA Security Update Failed:

Once I had the full Trend Deep Security Manager environment installed I ran the Download Security Updates command to get the latest updates from the Trend website. When trying to update the DSVA I got the following error:
Error Code: -1073676286 Error Message: IAU_STATUS_NETWORK_CONNECTION_FAILURE https://trendserver1:4122/ 
I ran a PuTTY session on the ESX host server (where the DSVA security update fails) and saw that there is an entry in vmkernel.log that shows “DSVA not bound”. When I logged into vShield Manager and checked the ESX host summary I saw that vShield Endpoint was installed but that there were no items listed under Service Virtual Machines. This should show the name of the protected DSVA on that host.
The issue occurs when the DSVA and filter driver improperly bind, causing communication failure between DSVA and the VM to protect. To successfully activate the VM:
  1. Ensure that the value 169.254.1.1 is bound to Dvfilter-dsa.
    1. On the vCenter, click the ESXi host.
    2. Go to Configuration tab > Advanced Settings > Net.
    3. Make sure that the value of Net.DVFilterBindIPAddress is “169.254.1.1”.
  2. Make sure that the dvfilter is listening to port 2222.
    1. On the vCenter, click the ESXi host.
    2. Go to Configuration tab > Security Profile.
    3. Under Firewall, click Properties.
    4. Ensure that the dvfilter is selected and listening to port 2222.
  3. Restart the filter driver.
    1. Put the ESXi on maintenance mode. This requires turning off the VMs or migrating them to another ESXi host.
    2. Connect to the ESXi host via SSH using Putty.
    3. Run the command “esxcfg-module -u dvfilter-dsa” to unload the filter driver.
    4. Run the command “esxcfg-module dvfilter-dsa” to reload the filter driver.
    5. Exit the ESXi from maintenance mode.
  4. Power on the DSVA.
  5. On the Deep Security Manager (DSM) console, make sure that the DSVA status is “Managed-Online” and the vShield Endpoint status is “Registered”.
  6. Activate the VM.
Activation will be successful and the “Dvfilter-dsa: update_sp_binding: DSVA not bound” message will no longer appear in the ESXi log.
Deactivating and re-activating the DSVAs fixed this issue.
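The checks in steps 1 and 2 and the module reload in step 3, scripted as an added example (not code from the post or from Trend Micro): the parsing functions take esxcli output on stdin so they can be exercised against the constructed samples in the block, and the esxcli output layout they assume, along with every function name, is my assumption rather than something the post states.

```shell
#!/bin/sh
# Added example (not from the original post): script the checks in steps 1-2
# above and the dvfilter-dsa reload in step 3. Parsing functions read esxcli
# output from stdin so they can be tested off-host; the samples are constructed.

EXPECTED_BIND_IP="169.254.1.1"   # value the post requires for Net.DVFilterBindIPAddress
DVFILTER_PORT=2222               # port the dvfilter must listen on

# Extract the "String Value:" field from the default (human-readable) output of
#   esxcli system settings advanced list -o /Net/DVFilterBindIPAddress
# (assumption: that field label; "Default String Value:" is deliberately not matched).
dvfilter_bind_ip() {
    sed -n 's/^[[:space:]]*String Value:[[:space:]]*//p' | head -n 1 | tr -d '[:space:]'
}

# Return 0 when the bind address found on stdin is the expected one.
dvfilter_bind_ip_ok() {
    [ "$(dvfilter_bind_ip)" = "$EXPECTED_BIND_IP" ]
}

# Return 0 when the output of `esxcli network ip connection list` on stdin has a
# TCP socket in LISTEN state on the dvfilter port (assumption: that column layout).
dvfilter_port_ok() {
    grep -E "^tcp[[:space:]].*:${DVFILTER_PORT}[[:space:]].*LISTEN" >/dev/null
}

# Steps 3.3 and 3.4 from the post. Only valid with the host in maintenance mode.
reload_dvfilter_dsa() {
    esxcfg-module -u dvfilter-dsa && esxcfg-module dvfilter-dsa
}

# Run both checks on a real ESXi host and say which one failed.
dvfilter_check_host() {
    esxcli system settings advanced list -o /Net/DVFilterBindIPAddress | dvfilter_bind_ip_ok \
        || { echo "Net.DVFilterBindIPAddress is not $EXPECTED_BIND_IP"; return 1; }
    esxcli network ip connection list | dvfilter_port_ok \
        || { echo "no listener on tcp/$DVFILTER_PORT (dvfilter)"; return 1; }
    echo "dvfilter bind settings look correct"
}

# Constructed sample of the advanced-setting output from a healthy host.
sample_advanced_output() {
    cat <<'EOF'
   Path: /Net/DVFilterBindIPAddress
   Type: string
   Int Value: 0
   String Value: 169.254.1.1
   Default String Value:
   Description: IP address to bind the DVFilter agent to
EOF
}

# Constructed sample of the connection list: one listener on 2222, one unrelated.
sample_connection_output() {
    cat <<'EOF'
Proto  Recv Q  Send Q  Local Address      Foreign Address  State   World ID
-----  ------  ------  -----------------  ---------------  ------  --------
tcp         0       0  169.254.1.1:2222   0.0.0.0:0        LISTEN     12345
tcp         0       0  127.0.0.1:80       0.0.0.0:0        LISTEN     12346
EOF
}
```

On the host itself, run `dvfilter_check_host` before deciding whether the reload in step 3 is needed.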

Trend Deep Security Manager 9 – Install and Configure (again!)

While working on a recent project for a client utilising Cisco UCS and NetApp for a cloud offering I was tasked with getting Trend Deep Security 9 working for a multi-tenant cloud environment. The primary caveat is that the environment isn’t true end-to-end multi-tenancy as the virtualisation layer is not fully segregated. vCloud Director or another similar tool has not been used but rather the vCloud Suite from VMware and segregation is at the network and storage layers through the use of vDCs on Nexus 7k (network) and SVMs on NetApp Clustered Data OnTap (storage virtual machines). In the production environment Trend Micro professional services were engaged to deliver the original design. Part of the criteria given to them was not to enable multi-tenant mode within the Shared Resources cluster as the tenants would not be managing their own anti-virus protection or scanning. In order to satisfy the requirements of multiple VMware clusters protected by one Anti-virus package a DSM was deployed on each cluster and managed from a central console within the Management cluster. I will go into more of a discussion on the ideal architectural design for multi-tenant anti-virus in another posting.

And so to the beginning of the troubles. No anti-virus solution is really ever straight-forward. There are a number of policies and exclusions to consider for both operating systems and specific applications, and usually there is a lack of distinct information within the installation and admin guides. Trend Micro Deep Security Manager is no different. This however is not a huge criticism of Trend; they have to make their documentation as generic as possible for multiple use cases. It does make installation just that bit more frustrating though. You can find the full Deep Security 9.0 Installation Guide here.

Trend Micro Deep Security consists of a number of components that work together to provide protection against viruses and malware in real-time. It can also provide Intrusion Prevention, Web Reputation, Firewalling, File Integrity Monitoring and Log Inspection. It is also available in both agent-based and agentless options. The components of Trend Deep Security are:

  • Deep Security Management Console (DSM) – this server (recommended to be virtualised) is the central web-based management console for controlling and managing all Deep Security enforcement components (DSAs and DSVAs). The server is recommended to be Windows Server 2008/2012 R2 64-bit. It is important that it is installed on a different ESXi host to the one hosting the VMs which are protected by the DSM. The DSM should be allocated 8GB RAM and 4 vCPUs. This configuration will be capable of serving up to 10,000 agents. The MS SQL database size is relatively small at around 20GB for 10,000 agents.
  • Deep Security Relay (DSR) – this server is responsible for contacting Trend Micro’s Security Centre to collect platform and security updates and relaying this consolidated information back to the DSM and to Agents and Virtual Appliances. The DSR will also be virtualised at Interactive with 8GB RAM and 4 vCPUs. This configuration will be capable of serving up to 10,000 agents. The Relay has an embedded Agent to provide local protection on the host machine. In the case of multiple relays each will act independently and synchronise its local database with the Trend Security Centre.
  • Deep Security Virtual Appliance (DSVA) – this server is a virtual machine appliance that is installed on every ESXi host. The DSVA enables agentless Deep Security control and management within the hypervisor, providing Anti-Malware, Intrusion Prevention, Integrity Monitoring, Firewall, Web Application Protection and Application Control protection to each VM. The agentless control is currently only available for vSphere 5.1 or earlier. Support for VMware 5.5 will be available in 2014 Q2. The DSVA communicates directly with the DSM and it is recommended to enable affinity rules within VMware to pin each DSVA to its required ESXi host.
  • Deep Security Agent (DSA) – for non-Windows servers (such as Linux), the agent is deployed directly into the VM’s OS, providing Intrusion Prevention, Firewall, Web Application Protection, Application Control, Integrity Monitoring and Log Inspection protection. This is the traditional client-server deployment model and the agent could be included within the imaging process or pushed out from the DSM. A DSA will also be necessary on all VMs within a vSphere 5.5 hypervisor until Q2 2014 (after which a DSVA can be used with vSphere 5.5).
  • Smart Protection Server – Web Reputation works by clients contacting Trend Micro’s Smart Protection Service on the Internet. Rather than all clients accessing this service, it is possible to deploy Trend Micro’s Smart Protection Server as a VM. The Smart Protection Server will periodically update its URL list, allowing it to locally respond to client requests for web reputation ratings. This component is normally part of the Trend Micro OfficeScan products and using it may incur an additional licensing fee. Given that the DSVA also caches similar data, this product is not recommended. Hence, the DSVA and DSA will regularly be checking web reputation over the Internet.
  • Deep Security Notifier – a Windows System Tray application that communicates the state of the Deep Security Agent and Deep Security Relay on local computers. A DSA and DSR already contain the Notifier, but Windows guests protected by the DSVA will need to install the Notifier as a standalone application.
